
Multiple LastPass Vulnerabilities Discovered Recently


rgdot:
We are at the point where either use cases require LastPass or people just want to use more 'convenient' ones and use LastPass (or alikes). As evidenced by the comments on that Arstechnica article, those that mention KeePass seem more prone to downvotes  :-\

Steven Avery:
Hi,

Let's say I have 100 active passwords.  90 of them are DonationCoder, BitsDuJour, various Bible and Business forums.  The only ones that are actively sensitive are financial (banks, credit cards, Amazon, Paypal). Maybe two or three social could be considered a bit sensitive (Facebook, Linkedin).

To what extent do you think that the following group of techniques would allow continuing to use LastPass in the web browser:

a) safe browsing techniques (no gambling, porn, etc.)

b) Avast or another decent web shield

c) make all important sites have unique user-password combinations

d) 2FA on all sites with financial capabilities

LastPass is in fact very convenient.  And most of what it is used for is non-essential stuff (there used to be discussions about having two "last" passwords, one for critical, one for general; for a while I tried two LP accounts).

The goal I see is to make it so that if passwords are stolen,  damage is limited, essentially zero.

I think of 2FA as only affecting the first time signing in from a locale (not sure what is the definition of a locale with a moving laptop).   A cell phone buzz is a very minor extra step in those cases. And a Google email is not much trouble. I prefer the buzz because it is more accessible and less hackable.

Switching to a personal Dropbox-style alternative (e.g. using KeePass) is in fact an attractive alternative; one has to weigh the utility lost.

Switching to another web browser alternative (Dashlane?, 1Password?) likely means similar vulnerabilities, although perhaps less likely to be exploited simply because the size of LastPass makes them an attractive target.

The big help with browser integration is automatic adding and updating of passwords.  You could enter by hand from a vault, but the real-time web browser update help saves time, and helps make sure the passwords are accurate.

Why is a review of 2FA and password practices on those big 10 (or 20) accounts not sufficient?

Steven

wraith808:
We are at the point where either use cases require LastPass or people just want to use more 'convenient' ones and use LastPass (or alikes). As evidenced by the comments on that Arstechnica article, those that mention KeePass seem more prone to downvotes  :-\
-rgdot (March 29, 2017, 08:13 AM)
--- End quote ---


LastPass provides a service, not software.  I don't see why they don't open-source their software, so that it can be audited by external sources.  It would do away with these embarrassing episodes.  Vulnerabilities, I'm sure, would be found - and I'm sure they happen in KeePass too, but it's not as newsworthy.

(What is alikes?  Couldn't find it with a google search.  And truthfully, I'm having trouble parsing that whole sentence.  :-[)

wraith808:
I think of 2FA as only affecting the first time signing in from a locale (not sure what is the definition of a locale with a moving laptop). 
-Steven Avery (March 29, 2017, 10:03 AM)
--- End quote ---

Notice my requirements above.  Every time I close my browser (or it times out), I have to use 2FA.  Which, because of how they implemented it, requires an active cell signal (MS sends me a text with a number.  I have to text that number back from that device).  Every time I join a meeting with Skype for Business Web Client, I have to log in too - which uses 2FA.  It's a pain in my ass.  I also have to change my password every so often (I think 30 days, but sometimes it's more than that, and sometimes less... so I'm not really sure what the interval is).

rgdot:
We are at the point where either use cases require LastPass or people just want to use more 'convenient' ones and use LastPass (or alikes). As evidenced by the comments on that Arstechnica article, those that mention KeePass seem more prone to downvotes  :-\
-rgdot (March 29, 2017, 08:13 AM)
--- End quote ---


LastPass provides a service, not software.  I don't see why they don't open-source their software, so that it can be audited by external sources.  It would do away with these embarrassing episodes.  Vulnerabilities, I'm sure, would be found - and I'm sure they happen in KeePass too, but it's not as newsworthy.

(What is alikes?  Couldn't find it with a google search.  And truthfully, I'm having trouble parsing that whole sentence.  :-[)
-wraith808 (March 29, 2017, 11:27 AM)
--- End quote ---


Alikes = alternatives.

Not sure how the service vs. software distinction is relevant here. All I meant is that online is a bigger risk and therefore online options are the poorer option unless your use case demands it. I would disagree with the notion that 'I have 100 passwords, therefore I need an online service'; in my opinion the use case needs to be way more than that, needs to be something like yours perhaps. The simple case of 'many passwords, therefore I need sync' I don't get.
KeePass can have vulnerabilities, but installed in a folder locally the chances of it being hacked are lower; not sure how that is debatable.
